National data security standards are better than PIN

The National Retail Federation (NRF) has launched an ad campaign to advocate for “uniform national” data breach standards for “all affected industries.”

Welcome to the cause. The financial services industry already is subject to uniform standards and continually has fought for national rules to cover all affected industries.


Retailers have opposed these efforts. Instead, groups like the Retail Industry Leaders Association push lawmakers and regulators to adopt a government mandate that would cost billions to implement and do little to protect consumers.

Barclays of London introduced Personal Identification Numbers (PINs) in 1967, the year the Beatles and Monkees battled for the top of the charts. That music is timeless. PIN is not. Because PINs are a static data element, they don’t protect against counterfeit or card-not-present (CNP) fraud, which together account for about 85 percent of total U.S. card fraud.

According to the Aite Group, it would cost retailers $4 billion to fully implement PIN. That expense would be worthy if it adequately protected consumers, but it wouldn’t. In fact, an Aite analyst concluded mandating PIN would be “difficult to justify.”

An Electronic Payments Coalition study also proved a PIN mandate would be ineffective. Examining Euromonitor International data, EPC found the cardholder verification method (CVM) used with electronic payment cards has no bearing on a country’s overall payment card fraud rate. In plain English: it doesn’t matter whether a consumer uses a signature or PIN to verify purchase. What matters is whether the card incorporates advanced technologies designed to stay ahead of criminals.

EPC examined card fraud data in 18 major economies, including the United States. Twelve predominantly use PIN as their CVM, while six use signature. Of the 12 PIN-dominant countries, seven saw above-average normalized fraud over the past five years. The rest experienced below-average normalized fraud. Among the six signature-dominant countries, three experienced below-average normalized fraud and three experienced above-average normalized fraud. If PINs were more effective than signatures, one would expect most PIN countries to have lower normalized fraud.

PINs also may not adequately defend against lost or stolen card fraud. France and Australia, early adopters of chip-and-PIN, saw an increase in lost or stolen card fraud over the last decade. One possible cause of this counterintuitive outcome is that counterfeiters can obtain a cardholder’s PIN by pairing a skimming device with a pinhole camera near the numerical touchpad, rendering the static PIN ineffective. Something similar happened at Forever 21. Hackers used malware on the retailer’s point of sale devices to copy credit card numbers, expiration dates, and PINs.

This is just one example that proves investing in technology is far more effective than relying on an idea introduced when The Andy Griffith Show topped TV ratings.

Smartcards are another. While the CVM associated with a smartcard doesn’t matter, chips inside the cards do. Euromonitor data revealed counterfeit fraud in countries where smartcards are dominant is less than half of what it is in countries where those cards are rare. In its December 2016 Payments Study, the Federal Reserve drew a similar conclusion. Visa data show counterfeit fraud at smartcard-enabled merchants is down 70 percent since the transition to smartcards began.

Smartcards still will not be enough. The Fed and EPC also found countries experienced increases in other types of fraud, including online fraud, after smartcards were adopted.

To stay ahead of criminals, the payments ecosystem must work together. The costs of retailer underinvestment in technology and other data security resources are socialized back through the system to financial institutions, networks and consumers. Fraud directed at financial institutions frequently has its origins in retailer data breaches. While our industry has successfully protected its customers post-breach, retailers’ security gaps add substantial costs. Financial institutions are implementing new technologies like point-to-point encryption, tokenization, and biometrics to further protect consumers.

Putting in place national data security and breach standards also will help, which is why the financial services industry has led the way here as well. Retailers, meanwhile, have focused on mandating the use of a 51-year-old static data element.

We can still enjoy the Monkees, Beatles, and Andy Griffith, but when it comes to payments security, we can’t live in 1967. We’re pleased merchants are finally ready for an upgrade.

Tassey manages the Electronic Payments Coalition, which includes financial services entities that move electronic payments quickly and securely between millions of merchants and consumers across the globe.